New WannaCry Ransomware Variants Identified

The version of WannaCry ransomware used in Friday’s attacks has been blocked, although new WannaCry ransomware variants have been detected.

U.S Escapes WannaCry Relatively Unscathed

The total number of computers infected with WannaCry ransomware is now believed to be around 300,000, although the United States escaped relatively unscathed, according to the U.S. Department of Homeland Security (DHS).

While it is still unclear exactly how many U.S. organizations have been affected, fewer than 10 organizations have reported a WannaCry ransomware attack to DHS.

The ransomware attacks have now stopped, although organizations that have experienced an infection that has resulted in files being encrypted must recover those files from a backup, accept data loss, or pay the attackers for the decryption keys.

The attackers have so far made around $81,000 from their ransomware campaign, according to @actual_ransom. With a ransom payment of $300 per infected device, many payments have already been made; however, given the number of devices locked by the ransomware, most victims are not paying the attackers to unlock their files.

WannaCry ransomware encryptions were stopped when a security researcher (Malware Tech) from the UK discovered a kill switch while investigating the worm code. In an apparent effort to avoid running in a sandbox or virtual environment, a check was performed on a nonsense domain. If a connection to that domain was successful, the ransomware would exit. If connection to the unregistered domain failed, the ransomware would proceed and encrypt files. By registering that domain, Malware Tech stopped further encryptions.

WannaCry Victims Appear to Have Been Contacted by the Attackers

In an apparent effort to increase the profits from the campaign, the attackers have generated pop up messages on affected computers saying, “I have already sent decryption keys to many customers who had sent me the correct amounts of bitcoin, and I guarantee the decryptions for such honest customers.” While this message could indicate the attacker has access to infected computers, it is possible that the message was pre-programmed to appear.

Paying ransom demands only encourages attackers to conduct further attacks. Ransom payments can be used by the attackers to fund further ransomware campaigns. There is also no guarantee that the attackers will supply valid keys to unlock data, even if they say they will. The advice from the Federal Bureau of Investigation (FBI) is never to pay a ransom unless it is absolutely necessary.

New WannaCry Ransomware Variants Detected

While the version of WannaCry ransomware used in Friday’s attacks has been stopped, that is not the only version of the ransomware being used. New WannaCry ransomware variants have been identified.

A second version was identified by researcher Matt Suiche. This version also included a kill switch, but used a different domain. Suiche registered that second domain and prevented 10,000 infected machines from having files encrypted.

A third version of Wannacry ransomware was also identified by Kaspersky Lab without the kill switch, although in that case, the ransomware component had been corrupted and infected computers would not have data encrypted.

The WannaCry attacks used the ETERNALBLUE exploit published by Shadow Brokers last month, which takes advantage of a vulnerability in Microsoft Server Message Block 1.0 (SMBv1). The threat from WannaCry may be temporarily over, although WannaCry is not the only threat that uses the ETERNALBLUE exploit and the DoublePulsar backdoor.

Researchers at Proofpoint have identified another threat that similarly uses the exploit to gain access to computers. In this case, the goal is not to encrypt files or even steal data. The attackers install Adylkuzz – a program that hogs computer resources and mines the cryptocurrency Monero.

How to Block the ETERNALBLUE Exploit

Other cybercriminals may also be using the ETERNALBLUE exploit and new WannaCry ransomware variants may be released without the kill switch. To block attacks, organizations should ensure that the MS17-010 patch is applied to plug the vulnerability. Older operating systems (Windows 8, Windows Server 2003, and Windows XP) can also be patched and protected against WannaCry ransomware attacks and other malware that use the ETERNALBLUE exploit. Any organization that has port 445 open should also ensure the port is closed, and if SMB must be used over the Internet, SMB should be used through an internal network via a VPN.